def test_attributes_general(self, ldap_attribute_store):
ldap_to_internal_map = (self.ldap_attribute_store_config['default']
['ldap_to_internal_map'])
for dn, attributes in self.ldap_person_records:
# Mock up the internal response the LDAP attribute store is
# expecting to receive.
response = InternalData(auth_info=AuthenticationInformation())
# The LDAP attribute store configuration and the mock records
# expect to use a LDAP search filter for the uid attribute.
uid = attributes['uid']
response.attributes = {'uid': uid}
context = Context()
context.state = dict()
ldap_attribute_store.process(context, response)
# Verify that the LDAP attribute store has retrieved the mock
# records from the mock LDAP server and has added the appropriate
# internal attributes.
for ldap_attr, ldap_value in attributes.items():
if ldap_attr in ldap_to_internal_map:
internal_attr = ldap_to_internal_map[ldap_attr]
response_attr = response.attributes[internal_attr]
assert(ldap_value in response_attr)
def internal_response(self):
auth_info = AuthenticationInformation("auth_class_ref", "timestamp",
"issuer")
internal_response = InternalData(auth_info=auth_info)
internal_response.requester = "client"
internal_response.attributes = ATTRIBUTES
return internal_response
def _authn_response(self, context):
"""
Handles the authentication response from the AS.
:type context: satosa.context.Context
:rtype: satosa.response.Response
:param context: The context in SATOSA
:return: A SATOSA response. This method is only responsible to call the callback function
which generates the Response object.
"""
state_data = context.state[self.name]
aresp = self.consumer.parse_response(AuthorizationResponse,
info=json.dumps(context.request))
self._verify_state(aresp, state_data, context.state)
rargs = {
"code": aresp["code"],
"redirect_uri": self.redirect_url,
"state": state_data["state"]
}
atresp = self.consumer.do_access_token_request(request_args=rargs,
state=aresp["state"])
if "verify_accesstoken_state" not in self.config or self.config[
"verify_accesstoken_state"]:
self._verify_state(atresp, state_data, context.state)
user_info = self.user_information(atresp["access_token"])
internal_response = InternalData(
auth_info=self.auth_info(context.request))
internal_response.attributes = self.converter.to_internal(
self.external_type, user_info)
internal_response.subject_id = user_info[self.user_id_attr]
del context.state[self.name]
return self.auth_callback_func(context, internal_response)
def test_use_of_disco_or_redirect_to_idp_when_using_mdq_and_forceauthn_is_set_1(
self, context, sp_conf, idp_conf
):
sp_conf["metadata"]["inline"] = [create_metadata_from_config_dict(idp_conf)]
sp_conf["metadata"]["mdq"] = ["https://mdq.example.com"]
context.decorate(Context.KEY_FORCE_AUTHN, "1")
context.state[Context.KEY_MEMORIZED_IDP] = idp_conf["entityid"]
backend_conf = {
SAMLBackend.KEY_SP_CONFIG: sp_conf,
SAMLBackend.KEY_DISCO_SRV: DISCOSRV_URL,
SAMLBackend.KEY_MEMORIZE_IDP: True,
SAMLBackend.KEY_MIRROR_FORCE_AUTHN: True,
}
samlbackend = SAMLBackend(
None, INTERNAL_ATTRIBUTES, backend_conf, "base_url", "saml_backend"
)
resp = samlbackend.start_auth(context, InternalData())
assert_redirect_to_discovery_server(resp, sp_conf, DISCOSRV_URL)
backend_conf[SAMLBackend.KEY_USE_MEMORIZED_IDP_WHEN_FORCE_AUTHN] = True
samlbackend = SAMLBackend(
None, INTERNAL_ATTRIBUTES, backend_conf, "base_url", "saml_backend"
)
resp = samlbackend.start_auth(context, InternalData())
assert_redirect_to_idp(resp, idp_conf)
def internal_request(self):
req = InternalData(
subject_type=NAMEID_FORMAT_PERSISTENT,
requester="example_requester",
)
req.attributes = FILTER + ["sn"]
return req
def handle_response(self, context):
auth_info = AuthenticationInformation("test", str(datetime.now()),
"test_issuer")
internal_resp = InternalData(auth_info=auth_info)
internal_resp.attributes = context.request
internal_resp.user_id = "test_user"
return self.auth_callback_func(context, internal_resp)
def internal_response(self, idp_conf):
auth_info = AuthenticationInformation(PASSWORD, "2015-09-30T12:21:37Z",
idp_conf["entityid"])
internal_response = InternalData(auth_info=auth_info)
internal_response.attributes = AttributeMapper(
INTERNAL_ATTRIBUTES).to_internal("saml", USERS["testuser1"])
return internal_response
def _authn_response(self, context):
state_data = context.state[self.name]
aresp = self.consumer.parse_response(AuthorizationResponse,
info=json.dumps(context.request))
self._verify_state(aresp, state_data, context.state)
url = self.config['server_info']['token_endpoint']
data = dict(
grant_type='authorization_code',
code=aresp['code'],
redirect_uri=self.redirect_url,
client_id=self.config['client_config']['client_id'],
client_secret=self.config['client_secret'],
)
r = requests.post(url, data=data)
response = r.json()
if self.config.get('verify_accesstoken_state', True):
self._verify_state(response, state_data, context.state)
user_info = self.user_information(response["access_token"])
auth_info = self.auth_info(context.request)
internal_response = InternalData(auth_info=auth_info)
internal_response.attributes = self.converter.to_internal(
self.external_type, user_info)
internal_response.subject_id = user_info[self.user_id_attr]
del context.state[self.name]
return self.auth_callback_func(context, internal_response)
def _authn_response(self, context):
state_data = context.state[self.name]
aresp = self.consumer.parse_response(
AuthorizationResponse, info=json.dumps(context.request))
self._verify_state(aresp, state_data, context.state)
url = self.config['server_info']['token_endpoint']
data = dict(
grant_type='authorization_code',
code=aresp['code'],
redirect_uri=self.redirect_url,
client_id=self.config['client_config']['client_id'],
client_secret=self.config['client_secret'], )
r = requests.post(url, data=data)
response = r.json()
if self.config.get('verify_accesstoken_state', True):
self._verify_state(response, state_data, context.state)
user_info = self.user_information(response["access_token"])
auth_info = self.auth_info(context.request)
internal_response = InternalData(auth_info=auth_info)
internal_response.attributes = self.converter.to_internal(
self.external_type, user_info)
internal_response.subject_id = user_info[self.user_id_attr]
del context.state[self.name]
return self.auth_callback_func(context, internal_response)
def setup_for_authn_response(self, context, frontend, auth_req):
context.state[frontend.name] = {"oidc_request": auth_req.to_urlencoded()}
auth_info = AuthenticationInformation(PASSWORD, "2015-09-30T12:21:37Z", "unittest_idp.xml")
internal_response = InternalData(auth_info=auth_info)
internal_response.attributes = AttributeMapper(INTERNAL_ATTRIBUTES).to_internal("saml", USERS["testuser1"])
internal_response.subject_id = USERS["testuser1"]["eduPersonTargetedID"][0]
return internal_response
def test_perun_identity_none_user(self, mock_adapter):
mock_adapter.get_perun_user.return_value = None
service = self.create_perun_identity_service()
service.adapter = mock_adapter
resp = InternalData(auth_info=AuthenticationInformation())
resp.attributes = self.ATTRIBUTES
returned_service = service.process(None, resp)
assert 'perun_id' not in returned_service.attributes.keys()
def test_filter_attribute_not_in_response(self):
attribute_filters = {"": {"": {"a0": "foo:bar"}}}
filter_service = self.create_filter_service(attribute_filters)
resp = InternalData(auth_info=AuthenticationInformation())
resp.attributes = {
"a1": ["abc:xyz", "1:foo:bar:2"],
}
filtered = filter_service.process(None, resp)
assert filtered.attributes == {"a1": ["abc:xyz", "1:foo:bar:2"]}
def test_auth_resp_callback_func_respects_user_id_to_attr(self, context, satosa_config):
satosa_config["INTERNAL_ATTRIBUTES"]["user_id_to_attr"] = "user_id"
base = SATOSABase(satosa_config)
internal_resp = InternalData(auth_info=AuthenticationInformation("", "", ""))
internal_resp.subject_id = "user1234"
context.state[satosa.base.STATE_KEY] = {"requester": "test_requester"}
context.state[satosa.routing.STATE_KEY] = satosa_config["FRONTEND_MODULES"][0]["name"]
base._auth_resp_callback_func(context, internal_resp)
assert internal_resp.attributes["user_id"] == [internal_resp.subject_id]
def test_perun_identity_test_user(self, mock_adapter):
user = User(1, 'Test user')
mock_adapter.get_perun_user.return_value = user
service = self.create_perun_identity_service()
service.adapter = mock_adapter
resp = InternalData(auth_info=AuthenticationInformation())
resp.attributes = self.ATTRIBUTES
returned_service = service.process(None, resp)
assert 'perun_id' in returned_service.attributes.keys()
assert returned_service.attributes.get('perun_id') == [user.id]
def test_filter_one_attribute_for_one_target_provider(self):
target_provider = "test_provider"
attribute_filters = {target_provider: {"": {"a1": "foo:bar"}}}
filter_service = self.create_filter_service(attribute_filters)
resp = InternalData(auth_info=AuthenticationInformation(
issuer=target_provider))
resp.attributes = {
"a1": ["abc:xyz", "1:foo:bar:2"],
}
filtered = filter_service.process(None, resp)
assert filtered.attributes == {"a1": ["1:foo:bar:2"]}
def test_filter_one_attribute_from_all_target_providers_for_all_requesters(
self):
attribute_filters = {"": {"": {"a2": "^foo:bar$"}}}
filter_service = self.create_filter_service(attribute_filters)
resp = InternalData(AuthenticationInformation())
resp.attributes = {
"a1": ["abc:xyz"],
"a2": ["foo:bar", "1:foo:bar:2"],
}
filtered = filter_service.process(None, resp)
assert filtered.attributes == {"a1": ["abc:xyz"], "a2": ["foo:bar"]}
def test_auth_req_callback_stores_state_for_consent(self, context, satosa_config):
base = SATOSABase(satosa_config)
context.target_backend = satosa_config["BACKEND_MODULES"][0]["name"]
requester_name = [{"lang": "en", "text": "Test EN"}, {"lang": "sv", "text": "Test SV"}]
internal_req = InternalData(
subject_type=NAMEID_FORMAT_TRANSIENT, requester_name=requester_name,
)
internal_req.attributes = ["attr1", "attr2"]
base._auth_req_callback_func(context, internal_req)
assert context.state[consent.STATE_KEY]["requester_name"] == internal_req.requester_name
assert context.state[consent.STATE_KEY]["filter"] == internal_req.attributes
def test_generate_static(self):
synthetic_attributes = {"": {"default": {"a0": "value1;value2"}}}
authz_service = self.create_syn_service(synthetic_attributes)
resp = InternalData(auth_info=AuthenticationInformation())
resp.attributes = {
"a1": ["*****@*****.**"],
}
ctx = Context()
ctx.state = dict()
authz_service.process(ctx, resp)
assert ("value1" in resp.attributes['a0'])
assert ("value2" in resp.attributes['a0'])
assert ("*****@*****.**" in resp.attributes['a1'])
def _handle_authn_request(self, context):
"""
Parse and verify the authentication request into an internal request.
:type context: satosa.context.Context
:rtype: satosa.internal.InternalData
:param context: the current context
:return: the internal request
"""
request = urlencode(context.request)
msg = "Authn req from client: {}".format(request)
logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state),
message=msg)
logger.debug(logline)
try:
authn_req = self.provider.parse_authentication_request(request)
except InvalidAuthenticationRequest as e:
msg = "Error in authn req: {}".format(str(e))
logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state),
message=msg)
logger.error(logline)
error_url = e.to_error_url()
if error_url:
return SeeOther(error_url)
else:
return BadRequest("Something went wrong: {}".format(str(e)))
client_id = authn_req["client_id"]
context.state[self.name] = {"oidc_request": request}
subject_type = self.provider.clients[client_id].get(
"subject_type", "pairwise")
client_name = self.provider.clients[client_id].get("client_name")
if client_name:
# TODO should process client names for all languages, see OIDC Registration, Section 2.1
requester_name = [{"lang": "en", "text": client_name}]
else:
requester_name = None
internal_req = InternalData(
subject_type=subject_type,
requester=client_id,
requester_name=requester_name,
)
internal_req.attributes = self.converter.to_internal_filter(
"openid",
self._get_approved_attributes(
self.provider.configuration_information["claims_supported"],
authn_req))
return internal_req
def test_auth_resp_callback_func_user_id_from_attrs_is_used_to_override_user_id(self, context, satosa_config):
satosa_config["INTERNAL_ATTRIBUTES"]["user_id_from_attrs"] = ["user_id", "domain"]
base = SATOSABase(satosa_config)
internal_resp = InternalData(auth_info=AuthenticationInformation("", "", ""))
internal_resp.attributes = {"user_id": ["user"], "domain": ["@example.com"]}
internal_resp.requester = "test_requester"
context.state[satosa.base.STATE_KEY] = {"requester": "test_requester"}
context.state[satosa.routing.STATE_KEY] = satosa_config["FRONTEND_MODULES"][0]["name"]
base._auth_resp_callback_func(context, internal_resp)
expected_user_id = "*****@*****.**"
assert internal_resp.subject_id == expected_user_id
def test_allow_one_requester(self, target_context):
rules = {
TARGET_ENTITY: {
"allow": ["test_requester"],
}
}
decide_service = self.create_decide_service(rules)
req = InternalData(requester="test_requester")
assert decide_service.process(target_context, req)
req.requester = "somebody else"
with pytest.raises(SATOSAError):
decide_service.process(target_context, req)
def test_generate_static(self):
synthetic_attributes = {
"": { "default": {"a0": "value1;value2" }}
}
authz_service = self.create_syn_service(synthetic_attributes)
resp = InternalData(auth_info=AuthenticationInformation())
resp.attributes = {
"a1": ["*****@*****.**"],
}
ctx = Context()
ctx.state = dict()
authz_service.process(ctx, resp)
assert("value1" in resp.attributes['a0'])
assert("value2" in resp.attributes['a0'])
assert("*****@*****.**" in resp.attributes['a1'])
def test_authz_deny_fail(self):
attribute_deny = {"": {"default": {"a0": ['foo1', 'foo2']}}}
attribute_allow = {}
authz_service = self.create_authz_service(attribute_allow,
attribute_deny)
resp = InternalData(auth_info=AuthenticationInformation())
resp.attributes = {
"a0": ["foo3"],
}
try:
ctx = Context()
ctx.state = dict()
authz_service.process(ctx, resp)
except SATOSAAuthenticationError as ex:
assert False
def test_discovery_server_set_in_context(self, context, sp_conf):
discosrv_url = 'https://my.org/saml_discovery_service'
context.decorate(
SAMLBackend.KEY_SAML_DISCOVERY_SERVICE_URL, discosrv_url
)
resp = self.samlbackend.start_auth(context, InternalData())
assert_redirect_to_discovery_server(resp, sp_conf, discosrv_url)
def _handle_consent_response(self, context):
"""
Endpoint for handling consent service response
:type context: satosa.context.Context
:rtype: satosa.response.Response
:param context: response context
:return: response
"""
consent_state = context.state[STATE_KEY]
saved_resp = consent_state["internal_resp"]
internal_response = InternalData.from_dict(saved_resp)
hash_id = self._get_consent_id(internal_response.requester, internal_response.subject_id,
internal_response.attributes)
try:
consent_attributes = self._verify_consent(hash_id)
except ConnectionError as e:
satosa_logging(logger, logging.ERROR,
"Consent service is not reachable, no consent given.", context.state)
# Send an internal_response without any attributes
consent_attributes = None
if consent_attributes is None:
satosa_logging(logger, logging.INFO, "Consent was NOT given", context.state)
# If consent was not given, then don't send any attributes
consent_attributes = []
else:
satosa_logging(logger, logging.INFO, "Consent was given", context.state)
internal_response.attributes = self._filter_attributes(internal_response.attributes, consent_attributes)
return self._end_consent(context, internal_response)
def test_redirect_to_idp_if_only_one_idp_in_metadata(self, context, sp_conf, idp_conf):
sp_conf["metadata"]["inline"] = [create_metadata_from_config_dict(idp_conf)]
# instantiate new backend, without any discovery service configured
samlbackend = SAMLBackend(None, INTERNAL_ATTRIBUTES, {"sp_config": sp_conf}, "base_url", "saml_backend")
resp = samlbackend.start_auth(context, InternalData())
assert_redirect_to_idp(resp, idp_conf)
def test_authz_deny_fail(self):
attribute_deny = {
"": { "default": {"a0": ['foo1','foo2']} }
}
attribute_allow = {}
authz_service = self.create_authz_service(attribute_allow, attribute_deny)
resp = InternalData(auth_info=AuthenticationInformation())
resp.attributes = {
"a0": ["foo3"],
}
try:
ctx = Context()
ctx.state = dict()
authz_service.process(ctx, resp)
except SATOSAAuthenticationError as ex:
assert False
def _handle_al_response(self, context):
"""
Endpoint for handling account linking service response. When getting here
user might have approved or rejected linking their account
:type context: satosa.context.Context
:rtype: satosa.response.Response
:param context: The current context
:return: response
"""
saved_state = context.state[self.name]
internal_response = InternalData.from_dict(saved_state)
#subject_id here is the linked id , not the facebook one, Figure out what to do
status_code, message = self._get_uuid(context, internal_response.auth_info.issuer, internal_response.attributes['issuer_user_id'])
if status_code == 200:
satosa_logging(logger, logging.INFO, "issuer/id pair is linked in AL service",
context.state)
internal_response.subject_id = message
if self.id_to_attr:
internal_response.attributes[self.id_to_attr] = [message]
del context.state[self.name]
return super().process(context, internal_response)
else:
# User selected not to link their accounts, so the internal.response.subject_id is based on the
# issuers id/sub which is fine
satosa_logging(logger, logging.INFO, "User selected to not link their identity in AL service",
context.state)
del context.state[self.name]
return super().process(context, internal_response)
def test_entire_flow(self, context):
"""Tests start of authentication (incoming auth req) and receiving auth response."""
responses.add(responses.POST,
"https://graph.facebook.com/v2.5/oauth/access_token",
body=json.dumps({
"access_token": "qwerty",
"token_type": "bearer",
"expires_in": 9999999999999
}),
status=200,
content_type='application/json')
self.setup_facebook_response()
context.path = 'facebook/sso/redirect'
internal_request = InternalData(subject_type=NAMEID_FORMAT_TRANSIENT,
requester='test_requester')
self.fb_backend.start_auth(context, internal_request, mock_get_state)
context.request = {
"code": FB_RESPONSE_CODE,
"state": mock_get_state.return_value
}
self.fb_backend._authn_response(context)
assert self.fb_backend.name not in context.state
self.assert_expected_attributes()
def test_start_auth_redirects_directly_to_mirrored_idp(
self, context, idp_conf):
entityid = idp_conf["entityid"]
context.decorate(Context.KEY_TARGET_ENTITYID, entityid)
resp = self.samlbackend.start_auth(context, InternalData())
assert_redirect_to_idp(resp, idp_conf)
def test_allow_takes_precedence_over_deny_all(self, target_context):
requester = "test_requester"
rules = {
TARGET_ENTITY: {
"allow": requester,
"deny": ["*"],
}
}
decide_service = self.create_decide_service(rules)
req = InternalData(requester=requester)
assert decide_service.process(target_context, req)
req.requester = "somebody else"
with pytest.raises(SATOSAError):
decide_service.process(target_context, req)
def test_generate_mustache2(self):
synthetic_attributes = {
"": { "default": {"a0": "{{kaka.first}}#{{eppn.scope}}" }}
}
authz_service = self.create_syn_service(synthetic_attributes)
resp = InternalData(auth_info=AuthenticationInformation())
resp.attributes = {
"kaka": ["kaka1","kaka2"],
"eppn": ["*****@*****.**","*****@*****.**"]
}
ctx = Context()
ctx.state = dict()
authz_service.process(ctx, resp)
assert("kaka1#example.com" in resp.attributes['a0'])
assert("kaka1" in resp.attributes['kaka'])
assert("*****@*****.**" in resp.attributes['eppn'])
assert("*****@*****.**" in resp.attributes['eppn'])
def test_auth_resp_callback_func_hashes_all_specified_attributes(self, context, satosa_config):
satosa_config["INTERNAL_ATTRIBUTES"]["hash"] = ["user_id", "mail"]
base = SATOSABase(satosa_config)
attributes = {"user_id": ["user"], "mail": ["*****@*****.**", "*****@*****.**"]}
internal_resp = InternalData(auth_info=AuthenticationInformation("", "", ""))
internal_resp.attributes = copy.copy(attributes)
internal_resp.subject_id = "test_user"
context.state[satosa.base.STATE_KEY] = {"requester": "test_requester"}
context.state[satosa.routing.STATE_KEY] = satosa_config["FRONTEND_MODULES"][0]["name"]
base._auth_resp_callback_func(context, internal_resp)
for attr in satosa_config["INTERNAL_ATTRIBUTES"]["hash"]:
assert internal_resp.attributes[attr] == [
util.hash_data(satosa_config.get("USER_ID_HASH_SALT", ""), v)
for v in attributes[attr]
]
def _translate_response(self, response, issuer):
"""
Translates oidc response to SATOSA internal response.
:type response: dict[str, str]
:type issuer: str
:type subject_type: str
:rtype: InternalData
:param response: Dictioary with attribute name as key.
:param issuer: The oidc op that gave the repsonse.
:param subject_type: public or pairwise according to oidc standard.
:return: A SATOSA internal response.
"""
auth_info = AuthenticationInformation(UNSPECIFIED, str(datetime.now()), issuer)
internal_resp = InternalData(auth_info=auth_info)
internal_resp.attributes = self.converter.to_internal("openid", response)
internal_resp.subject_id = response["sub"]
return internal_resp
def from_dict(cls, data):
instance = InternalData.from_dict(data)
instance.attributes = data.get("attributes") or data.get(
"approved_attributes")
instance.subject_type = data.get("subject_type") or data.get(
"user_id_hash_type")
instance.subject_id = (data.get("subject_id") or data.get("user_id")
or data.get("name_id"))
return instance
def _handle_authn_request(self, context):
"""
Parse and verify the authentication request into an internal request.
:type context: satosa.context.Context
:rtype: satosa.internal.InternalData
:param context: the current context
:return: the internal request
"""
request = urlencode(context.request)
satosa_logging(logger, logging.DEBUG, "Authn req from client: {}".format(request),
context.state)
try:
authn_req = self.provider.parse_authentication_request(request)
except InvalidAuthenticationRequest as e:
satosa_logging(logger, logging.ERROR, "Error in authn req: {}".format(str(e)),
context.state)
error_url = e.to_error_url()
if error_url:
return SeeOther(error_url)
else:
return BadRequest("Something went wrong: {}".format(str(e)))
client_id = authn_req["client_id"]
context.state[self.name] = {"oidc_request": request}
subject_type = self.provider.clients[client_id].get("subject_type", "pairwise")
client_name = self.provider.clients[client_id].get("client_name")
if client_name:
# TODO should process client names for all languages, see OIDC Registration, Section 2.1
requester_name = [{"lang": "en", "text": client_name}]
else:
requester_name = None
internal_req = InternalData(
subject_type=subject_type,
requester=client_id,
requester_name=requester_name,
)
internal_req.attributes = self.converter.to_internal_filter(
"openid", self._get_approved_attributes(self.provider.configuration_information["claims_supported"],
authn_req))
return internal_req
def _authn_response(self, context):
aresp = self.consumer.parse_response(
AuthorizationResponse, info=json.dumps(context.request))
url = self.config['server_info']['token_endpoint']
data = dict(
grant_type='authorization_code',
code=aresp['code'],
redirect_uri=self.redirect_url,
client_id=self.config['client_config']['client_id'],
client_secret=self.config['client_secret'], )
headers = {'Accept': 'application/json'}
r = requests.post(url, data=data, headers=headers)
response = r.json()
token = response['access_token']
orcid, name = response['orcid'], response['name']
user_info = self.user_information(token, orcid, name)
auth_info = self.auth_info(context.request)
internal_response = InternalData(auth_info=auth_info)
internal_response.attributes = self.converter.to_internal(
self.external_type, user_info)
internal_response.subject_id = orcid
return self.auth_callback_func(context, internal_response)
def _handle_authn_request(self, context, binding_in, idp):
"""
See doc for handle_authn_request method.
:type context: satosa.context.Context
:type binding_in: str
:type idp: saml.server.Server
:rtype: satosa.response.Response
:param context: The current context
:param binding_in: The pysaml binding type
:param idp: The saml frontend idp server
:return: response
"""
req_info = idp.parse_authn_request(context.request["SAMLRequest"], binding_in)
authn_req = req_info.message
satosa_logging(logger, logging.DEBUG, "%s" % authn_req, context.state)
try:
resp_args = idp.response_args(authn_req)
except SAMLError as e:
satosa_logging(logger, logging.ERROR, "Could not find necessary info about entity: %s" % e, context.state)
return ServiceError("Incorrect request from requester: %s" % e)
requester = resp_args["sp_entity_id"]
context.state[self.name] = self._create_state_data(context, idp.response_args(authn_req),
context.request.get("RelayState"))
subject = authn_req.subject
name_id_value = subject.name_id.text if subject else None
nameid_formats = {
"from_policy": authn_req.name_id_policy and authn_req.name_id_policy.format,
"from_response": subject and subject.name_id and subject.name_id.format,
"from_metadata": (
idp.metadata[requester]
.get("spsso_descriptor", [{}])[0]
.get("name_id_format", [{}])[0]
.get("text")
),
"default": NAMEID_FORMAT_TRANSIENT,
}
name_id_format = (
nameid_formats["from_policy"]
or (
nameid_formats["from_response"] != NAMEID_FORMAT_UNSPECIFIED
and nameid_formats["from_response"]
)
or nameid_formats["from_metadata"]
or nameid_formats["from_response"]
or nameid_formats["default"]
)
requester_name = self._get_sp_display_name(idp, requester)
internal_req = InternalData(
subject_id=name_id_value,
subject_type=name_id_format,
requester=requester,
requester_name=requester_name,
)
idp_policy = idp.config.getattr("policy", "idp")
if idp_policy:
internal_req.attributes = self._get_approved_attributes(
idp, idp_policy, requester, context.state
)
return self.auth_req_callback_func(context, internal_req)
def handle_response(self, context):
auth_info = AuthenticationInformation("test", str(datetime.now()), "test_issuer")
internal_resp = InternalData(auth_info=auth_info)
internal_resp.attributes = context.request
internal_resp.user_id = "test_user"
return self.auth_callback_func(context, internal_resp)
def internal_response(self):
auth_info = AuthenticationInformation("auth_class_ref", "timestamp", "issuer")
internal_response = InternalData(auth_info=auth_info)
internal_response.subject_id = "user1"
return internal_response
def internal_response(self, idp_conf):
auth_info = AuthenticationInformation(PASSWORD, "2015-09-30T12:21:37Z", idp_conf["entityid"])
internal_response = InternalData(auth_info=auth_info)
internal_response.attributes = AttributeMapper(INTERNAL_ATTRIBUTES).to_internal("saml", USERS["testuser1"])
return internal_response
